@@ -55,6 +55,7 @@

 #include "perflogging.h"

 #include "bytecode_priv.h"

 #include "bytecode_api_impl.h"

+#include "yara_clam.h"

 #ifdef CLI_PERF_LOGGING

@@ -751,7 +752,17 @@ static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data

 static int yara_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash, uint32_t lsid)

 {

-    return CL_CLEAN;

+    struct cli_ac_lsig *ac_lsig = root->ac_lsigtable[lsid];

+    uint8_t * code_start = ac_lsig->u.code_start;

+    int rc = 0;

+    YR_SCAN_CONTEXT context = {0}; //FIXME (populate from ldb)

+  

+    rc = yr_execute_code(ac_lsig, acdata, &context, 0, 0);

+

+    if (rc == CL_VIRUS)

+        cli_append_virus(ctx, ac_lsig->virname);

+

+    return rc;

 }

 int cli_exp_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash)

@@ -3456,6 +3456,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op

             cli_yaramsg("STRING_FITS_IN_ATOM       yes\n");

         */

 #endif

+        string->subsig_id = ytable.tbl_cnt;

     }

     if (str_error > 0) {

@@ -3651,10 +3652,10 @@ static int cli_loadyara(FILE *fs, struct cl_engine *engine, unsigned int *signo,

         cli_errmsg("cli_loadyara: failed to parse rules file %s, error count %i\n", dbname, rc);

         yr_hash_table_destroy(compiler.rules_table, NULL);

         yr_hash_table_destroy(compiler.objects_table, NULL);

-        yr_arena_destroy(compiler.sz_arena);

-        yr_arena_destroy(compiler.rules_arena);

+        //        yr_arena_destroy(compiler.sz_arena);

+        //        yr_arena_destroy(compiler.rules_arena);

         yr_arena_destroy(compiler.code_arena);

-        yr_arena_destroy(compiler.strings_arena);

+        //        yr_arena_destroy(compiler.strings_arena);

         yr_arena_destroy(compiler.metas_arena);

 #ifdef YARA_FINISHED

         return CL_EMALFDB;

@@ -3680,10 +3681,10 @@ static int cli_loadyara(FILE *fs, struct cl_engine *engine, unsigned int *signo,

     yr_hash_table_destroy(compiler.rules_table, NULL);

     yr_hash_table_destroy(compiler.objects_table, NULL);

-    yr_arena_destroy(compiler.sz_arena);

-    yr_arena_destroy(compiler.rules_arena);

+    //    yr_arena_destroy(compiler.sz_arena);

+    //    yr_arena_destroy(compiler.rules_arena);

     yr_arena_destroy(compiler.code_arena);

-    yr_arena_destroy(compiler.strings_arena);

+    //    yr_arena_destroy(compiler.strings_arena);

     yr_arena_destroy(compiler.metas_arena);

     if(rc)

@@ -54,6 +54,7 @@ limitations under the License.

 #define META_TYPE_STRING    2

 #define META_TYPE_BOOLEAN   3

+

 #define STRING_GFLAGS_REFERENCED        0x01

 #define STRING_GFLAGS_HEXADECIMAL       0x02

 #define STRING_GFLAGS_NO_CASE           0x04

@@ -546,10 +547,12 @@ typedef struct _yc_string {

     STAILQ_ENTRY(_yc_string) link;

     int32_t g_flags;

     int32_t length;

-    

+

     DECLARE_REFERENCE(char*, identifier);

     DECLARE_REFERENCE(uint8_t*, string);

     DECLARE_REFERENCE(struct _YR_STRING*, chained_to);

+

+    int32_t subsig_id;

 } yc_string;

 typedef struct _yc_compiler {

@@ -48,6 +48,7 @@ typedef struct _YR_MATCH

 } YR_MATCH;

 // End of temp for clamAV

+#include "matcher.h"

 #include "yara_clam.h"

 #include "yara_exec.h"

 #endif

@@ -103,7 +104,8 @@ int yr_execute_code(

 #if REAL_YARA

     YR_RULES* rules,

 #else

-    uint8_t* ip,

+    struct cli_ac_lsig * aclsig,

+    struct cli_ac_data * acdata,

 #endif

     YR_SCAN_CONTEXT* context,

     int timeout,

@@ -118,6 +120,10 @@ int yr_execute_code(

   int32_t sp = 0;

 #if REAL_YARA

   uint8_t* ip = rules->code_start;

+#else

+  uint8_t* ip = aclsig->u.code_start;

+  uint32_t lsig_id;

+  uint32_t rule_matches = 0;

 #endif

   YR_RULE* rule;

@@ -143,13 +149,20 @@ int yr_execute_code(

   while(1)

   {

+    cli_errmsg("yara_exec: executing %i\n", *ip);

     switch(*ip)

     {

       case OP_HALT:

         // When the halt instruction is reached the stack

         // should be empty.

         assert(sp == 0);

+#if REAL_YARA

         return ERROR_SUCCESS;

+#else

+        if (rule_matches != 0)

+            return CL_VIRUS;

+        return CL_SUCCESS;

+#endif

       case OP_PUSH:

         r1 = *(uint64_t*)(ip + 1);

@@ -407,8 +420,7 @@ int yr_execute_code(

 #if REAL_YARA

           rule->t_flags[tidx] |= RULE_TFLAGS_MATCH;

 #else

-        //tbd clamav

-          rule->g_flags |= RULE_TFLAGS_MATCH;

+        rule_matches++;

 #endif

         #ifdef PROFILING_ENABLED

@@ -674,18 +686,28 @@ int yr_execute_code(

         count = 0;

         pop(r1);

+#if REAL_YARA

         while (r1 != UNDEFINED)

         {

           string = UINT64_TO_PTR(YR_STRING*, r1);

-#if REAL_YARA

           if (string->matches[tidx].tail != NULL)

             found++;

+          count++;

+          pop(r1);

+        }

 #else

-        //TBD: clamav

-#endif

+        lsig_id = aclsig->id;

+        for (i = 0; i < aclsig->tdb.subsigs; i++) {

+            if (acdata->lsigsuboff_first[lsig_id][i] != CLI_OFF_NONE) {

+                found++;

+            }

+        }

+        while (r1 != UNDEFINED)

+        {

           count++;

           pop(r1);

         }

+#endif

         pop(r2);

@@ -90,7 +90,8 @@ int yr_execute_code(

 #if REAL_YARA

     YR_RULES* rules,

 #else

-    uint8_t* ip,

+    struct cli_ac_lsig * aclsig,

+    struct cli_ac_data * acdata,

 #endif

     YR_SCAN_CONTEXT* context,

     int timeout,